Restricted-Use Data Procedures Manual

Size: px
Start display at page:

Download "Restricted-Use Data Procedures Manual"

Transcription

1 Restricted-Use Data Procedures Manual U.S. Department of Education Institute of Education Sciences National Center for Education Statistics IES Data Security Office 1990 K Street, NW Washington, DC Acrobat PDF Version August 2011

2 Publication Information U.S. Department of Education Arne Duncan Secretary Institute of Education Sciences John Q. Easton Director National Center for Education Statistics Jack Buckley Commissioner The National Center for Education Statistics (NCES) is the primary federal entity for collecting, analyzing, and reporting data related to education in the United States and other nations. It fulfills a congressional mandate to collect, collate, analyze, and report full and complete statistics on the condition of education in the United States; conduct and publish reports and specialized analyses of the meaning and significance of such statistics; assist state and local education agencies in improving their statistical systems; and review and report on education activities in foreign countries. NCES activities are designed to address high priority education data needs; provide consistent, reliable, complete, and accurate indicators of education status and trends; and report timely, useful, and high quality data to the U.S. Department of Education, the Congress, the states, other education policymakers, practitioners, data users, and the general public. We strive to make our products available in a variety of formats and in language that is appropriate to a variety of audiences. You, as our customer, are the best judge of our success in communicating information effectively. If you have any comments or suggestions about this or any other NCES product or report, we would like to hear from you. Please direct your comments to: National Center for Education Statistics Institute of Education Sciences U.S. Department of Education 1990 K Street, NW Washington, DC The NCES Home Page is: Printed April 1996 (NCES publication number: 96860rev) Reprinted October 1999 Acrobat PDF Version August 2011 Content Contact: 2

3 Restricted-Use Data Procedures Manual This manual will be provided to organizations interested in obtaining restricted-use data, and to licensed organizations who currently have access to restricted-use data. The goal is to maximize the use of statistical information, while protecting individually identifiable information from disclosure. The Restricted-Use Data Procedures Manual was created to provide a guide to the restricted-use data application process, as well as to explain the laws and regulations governing these data. We hope that this manual answers any questions or concerns you may have regarding obtaining access to restricted-use data. IMPORTANT This manual serves as a procedures guide, but it does not replace the provisions of the actual License document and the required security procedures. The licensee is responsible for all terms and provisions within the License and the required security procedures. Under no circumstances may the database be removed or telecommunicated from the licensee's site. Licensees are subject to unannounced, unscheduled inspections to assess compliance with security requirements. Violations of the Education Sciences Reform Act confidentiality provisions incorporated in the License document are subject to a class E felony and can be imprisoned up to five years, and/or fined up to $250,000. 3

4 Table of Contents Page Introduction 7 Restricted-Use Data 7 Public-Use Data 7 Overview of Laws 7 Licensing Procedures 7 Security Procedures 8 On-Site Inspections 8 Laws Basic Statutes Privacy Act of Privacy Standards 9 Computer Security Guideline E-Government Act of 2002, Title III, Federal Information Security 9 Management Act (FISMA) 1.4 Education Sciences Reform Act of Confidentiality Standards 10 Violations USA Patriot Act of E-Government Act of Licensing Procedures What Data Are Licensed 12 Only Restricted-Use Data Are Licensed 12 Available Restricted-Use Databases What is a License? 12 Memorandum of Understanding 12 License 12 Contracts 13 Content of License Documents Who Needs a License Document 13 Matching Organizations to License Documents 13 Restricted-Use Data and IES Staff 14 Pre-test Monitoring 14 Contractors Applying for a License 15 Summary of Procedures 15 Formal Request 15 License Document 17 Affidavits of Nondisclosure 17 Security Plan Form 18 Receiving the Requested Materials 18 4

5 Page 2.5 Required Licensee Activity 19 Maintaining the License File 19 Submitting Research Publications 20 Passing On-Site Inspections 20 Outside Requests for Data Amending a License 21 Add User Amendment 21 Delete User Amendment 22 Add Database Amendment 22 Modify Security Plan Amendment 23 Extend License Amendment 23 Close-Out License Amendment Applicant/Licensee Record 25 Security Procedures Introduction 28 Basic Statutes 28 IES Statutes 28 Other Statutes Risk Management General Security Requirements 29 Assign Security Responsibilities 29 Complete Security Plan Form 30 Restrict Access to Data 30 Use Data at Licensed Site Only 30 Respond to Outside Request for Subject Data 31 Return Original Data to IES Physical Handling, Storage, and Transportation 31 Protect Machine-Readable Media and Printed Material 31 Avoid Disclosure from Printed Material Edit for Disclosures Only One Backup Copy 32 Limit Transporting of Data Computer Security Requirements 32 Standalone Computer Limit Room/Area Access Standalone Desktop Computer Security Model Passwords Notification (Warning Screen) Read-only Access No Connections to Another Computer Lock Computer and/or Room Automatic Shutdown of Inactive Computer Do Not Backup Restricted-Use Data

6 Staff Changes Overwrite Hard Disk Data 3.6 License User Training On-site Inspections On-Site Inspection Procedures 37 License Procedures 37 Security Procedures and Security Plan Form On-Site Inspection Guideline Violations, Penalties, and Prosecution 38 Violations 38 List of Most Common Violations 39 Prosecution and Penalties 39 Page Appendices Appendix A Definition of Terms 40 Appendix B Public-Use Data 43 Appendix C Privacy Act of Appendix D IES-Specific Laws 45 Appendix E Memorandum of Understanding 48 Appendix F License Document 49 Appendix G Affidavit of Nondisclosure 50 Appendix H Restricted-Use Databases 51 Appendix I Availability of Restricted-Use Data 52 Appendix J Security Plan Form 53 Appendix K On-Site Inspection Guideline 54 Appendix L E-Government Act of 2002, Title V, Subtitle A, Confidential 55 Information Protection Appendix M Close-out Certification Form 56 6

7 Introduction Restricted-Use Data The Institute of Education Sciences (IES) collects survey and research data containing individually identifiable information, which is confidential and protected by federal law. IES uses the term "restricted-use data" for such information. The terms restricted-use data and "subject data" are synonymous. (See Appendix A, Definition of Terms.) Public-Use Data IES uses the term "public-use data" for survey data when the individually identifiable information has been coded or deleted to protect the confidentiality of survey respondents. Access to public-use data does not require a license, for these data are available to the general public. For more information on public-use data, see NCES online catalog at Overview of Laws The relevant laws about survey data that contain individually identifiable information are found in the following statutes. More information on these laws is in Chapter 1: The Privacy Act of 1974 and the Computer Security Act of 1987 provide for the security and privacy of personal data maintained by the federal government. These laws pertain to all restricted-use data. Unlawful disclosure is a misdemeanor and is subject to a fine up to $5,000. The E-Government Act of 2002, Title V, subtitle A, Confidential Information Protection mandates the protection of individually identifiable information that is collected by any federal agency for statistical purposes. Unauthorized disclosure of these data is a class E felony, punishable by up to five years in prison, and/or a fine up to $250,000. The USA Patriot Act of 2001 amended NESA 1994 by permitting the Attorney General to petition a judge for an ex parte order requiring the Secretary of the Department of Education to provide NCES data that are identified as relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism to the Attorney General. The Education Sciences Reform Act of 2002 requires IES to collect, analyze, and disseminate education data and to protect the confidentiality of individually identifiable information. An unauthorized disclosure is a class E felony, punishable by up to five years in prison, and/or a fine up to $250,000. Licensing Procedures IES will lend restricted-use data only to qualified organizations in the United States, using a strict licensing process described in Chapter 2. Individual researchers must apply through an organization (e.g., a university or a research institution). To qualify, an organization must submit: An online Formal Request through the NCES electronic application system, see: a signed License document (see Appendix F), 7

8 executed Affidavits of Nondisclosure (see Appendix G), and a signed Security Plan Form (see Appendix J). Security Procedures Restricted-use data must be kept secure at all times. Secure means that the data are protected from unauthorized access or disclosure in accordance with the terms of the License and the specified security procedures outlined in the Security Plan Form. The security procedures described in Chapter 3 include the computer security requirements for the standalone, desktop computer configuration. On-Site Inspections Under the terms of the License, IES has the right to conduct unannounced, unscheduled inspections of the data user's site to assess compliance with the terms of the License and the required security procedures. The inspection procedures are described in Chapter 4. 8

9 Chapter 1: Laws 1.1 Basic Statutes The protection of survey databases that contain individually identifiable information is founded on the following statutes: Privacy Act of 1974, E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA), Education Sciences Reform Act of 2002, USA Patriot Act of 2001, and E-Government Act of Privacy Act of 1974 The Privacy Act of 1974 states that federal agencies are required "to collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that adequate safeguards are provided to prevent misuse of such information." To do this, the law protects the privacy of personal data maintained by the federal government. It imposes numerous requirements upon federal agencies to safeguard the confidentiality and integrity of personal data, and puts limits on the use of the data. (For the full text of the law, see Appendix C.) Privacy Standards Under the direction of the Office of Management and Budget, federal agencies issue policies, standards, and guidelines for protecting personal data under this law. Computer Security Guideline A key standard for this law is the Federal Information Processing Standard Publication (FIPSPUB) 41, Computer Security Guidelines for Implementing the Privacy Act of FIPSPUB 41 provides guidance to ensure that government-provided individually identifiable information is protected in accordance with federal statutes and regulations. 1.3 E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA) The law is enacted to provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets." FISMA requires each agency to develop, document, and implement an agencywide information security program providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. 9

10 1.4 Education Sciences Reform Act of 2002 The Education Sciences Reform Act of 2002 (ESRA 2002) authorizes the Institute of Education Sciences (IES) to collect and disseminate information about education in the United States. Collection is most often done through surveys. This Act, which incorporates and expands upon the Privacy Act of 1974, requires strict procedures to protect the privacy of individual respondents. This Act replaces the National Education Statistics Act of 1994 (NESA 1994). (For the full text of the law, see Appendix D.) Confidentiality Standards Individually identifiable information about students, their families, and their schools cannot be revealed. No person may: use any individually identifiable information for any purpose other than a statistical purpose, except in the case of terrorism (see USA Patriot Act below); make any publication whereby the data furnished by any particular person can be identified; or permit anyone other than the individuals authorized by the IES Director to examine the individual reports. The Act requires IES to develop and enforce standards to protect the confidentiality of students, their families, and their schools in the collection, reporting, and publication of data. The IES confidentiality statute is found in Public Law , section 183 (or as codified in 20 U.S.C. 9573). Violations Anyone who violates the confidentiality provisions of this Act when using the data shall be found guilty of a class E felony and can be imprisoned up to five years, and/or fined up to $250, USA Patriot Act of 2001 The USA Patriot Act of 2001 amended NESA 1994 by permitting the Attorney General to petition a judge for an ex parte order requiring the Secretary of the Department of Education to provide NCES data that are identified as relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism to the Attorney General. Any data obtained by the Attorney General for these purposes must be treated as confidential information, consistent with such guidelines as the Attorney General, after consultation with the Secretary, shall issue to protect confidentiality. This amendment was incorporated into ESRA (For the full text of the law, see Appendix D). 10

11 1.6 E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection Following the enactment of the Patriot Act, the 107th Congress enacted the E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection (CIP 2002) which requires that all individually identifiable information supplied by individuals or institutions to a federal agency for statistical purposes under a pledge of confidentiality must be kept confidential and may only be used for statistical purposes. 1 Any willful disclosure of such information for nonstatistical purposes, without the informed consent of the respondent, is a class E felony, punishable by up to five years in prison, and/or a fine up to $250, As amended by Federal Register, 62:

12 Chapter 2: Licensing Procedures 2.1 What Data Are Licensed Only Restricted-Use Data Are Licensed When IES conducts surveys, the data collected sometimes include individually identifiable information, which is confidential and protected by law. 2 Restricted-use data is the term for survey data that contain individually identifiable information. Only restricted-use data are licensed. (Note: Public-use data are not licensed.) The restricted-use data provided to the licensee and all information derived from those data, and all data resulting from merges, matches, or other uses of the data provided by IES with other data are subject to the License and are referred to in the License as subject data. Individually identifiable information includes, but is not limited to, personal data in the following categories: education, financial, medical, employment, criminal, or personal identifiers (e.g., name, number, symbol), and other identifying particulars assigned to the individual (e.g., fingerprint, voiceprint, photograph). Available Restricted-Use Databases The restricted-use databases that are available to organizations in the United States through these licensing procedures are listed at the NCES online catalog at: 2.2 What is a License? Three similar License documents are used to lend restricted-use data: Memorandum of Understanding, License, and Contract. All three are referred to as Licenses and, when signed, are equally binding on the licensees. Memorandum of Understanding The Memorandum of Understanding is used to provide data to federal agencies or offices, external to IES. A copy of the memorandum is in Appendix E. License The License is used to provide data to non-federal agencies or offices, including organizations working on analysis contracts with IES. Appendix F contains a copy of the License. 2 Because federal laws cannot be enforced outside of the United States, restricted-use data cannot leave the United States. 12

13 Contracts When IES has a contract involving the collection of restricted-use data, the contract boiler plate includes the provisions of the License. Content of License Documents In brief, each of the three License types: defines the information subject to this agreement, specifies the individuals who may have access to subject data (PPO and professional/technical and support staff), describes limitations of disclosure, lists administrative requirements, requires that publications based on the data be sent to IES prior to disseminating them to non-licensed individuals, requires the organization to contact IES in case of (suspected) breaches of security, requires the organization to agree to unannounced and unscheduled inspections, reviews the security requirements for the maintenance of, and access to, subject data, and describes penalties for violations. 2.3 Who Needs a License Document Virtually every organization needs a License document to authorize individual access to restricted-use data. The type of organization determines the specific License document. Matching Organizations to License Documents Type of Organization Congress Federal Agencies * IES Staff Non-Federal Agencies/Groups/Organizations State and Local Agencies Research Laboratories Data Collection Contractor (to IES) Contractor (to IES Contractor) Survey Pre-Tests Analysis Contractor License Document Type Memorandum of Understanding Memorandum of Understanding Oath of office replaces Memorandum; staff must sign a form provided by the IES Data Security Office to obtain the data. License License License * This includes other components of the Department of Education. License "Boiler Plate" in Contract License "Boiler Plate" in Contract License "Boiler Plate" in Contract License 13

14 Restricted-Use Data and IES Staff IES staff are subject to all of the obligations and restrictions protecting restricted-use data. Further, IES staff are not authorized to issue restricted-use data files. Any in-house staff needing access to restricted-use data must request and obtain clearance through the IES Data Security Office. Staff must sign a form provided by the IES Data Security Office to obtain the data. Staff who have restricted-use data must keep it under lock and key. These data may not be stored on a laptop computer and computer output cannot be left out in the open when not in use. (See Chapter 3, Security Procedures, for full details.) The data may not be removed from the office area. These restricted-use data must be returned to the IES Data Security Office prior to the departure of an employee or Fellow. IES staff should refer all requests for License documents, affidavits, or restricted-use data to the IES Data Security Office. These requests should not be handled by program staff. Pre-test Monitoring Staff perform pre-tests to review the data collection process and to test the validity of the survey instrument. Because respondent data are acquired to test the proposed survey design, the responses collected in this pre-test sampling may contain individually identifiable information and thus may be subject to restricted-use data security procedures. The IES Contracting Office Technical Representative (COTR) who is responsible for conducting these pre-tests, must submit a written description of what is involved in the survey design review to the IES Data Security Office. The COTR must also obtain an executed Affidavit of Nondisclosure from all persons outside IES who will review the survey design and will have access to these data. The COTR will keep all original Affidavits of Nondisclosure in the project file and be able to produce them on request. Contractors An organization or individual performing work under contract must complete the licensing process unless the collection of restricted-use data is required to fulfill the terms of the contract. The conditions spelled out in the License are incorporated in the boiler plate of the contract. Sub-Contractors (to Contractors) are bound by the terms in the contractual agreement of the contractor. Those terms include the provision that data cannot leave the licensed site. Subcontractors needing to use data at a remote site must get their own Licenses. A contractor who proposes to do independent research using the restricted-use data to perform work for IES must submit a formal, written request. If the purpose of the independent research is different from the purpose for using the data as stated in the contract, the contractor must follow the standard application process for obtaining a License (see section 2.4). 14

15 2.4 Applying for a License Summary of Procedures To qualify for and receive restricted-use data, applicants must submit all four documents: Formal Request through the IES online electronic license application system, (see: License Document (see Appendix E or F), Affidavits of Nondisclosure (see Appendix G), and Security Plan Form (see Chapter 3 and Appendix J). The Formal Request will ask for specific items of information. This information will be collected through the IES electronic license application system at: After the initial online Formal Request has been reviewed and approved by the IES Data Security Office, applicants are to prepare, complete and return the signed License, notarized Affidavits, and the Security Plan Form. Mail all documents, signed by the Principal Project Officer (PPO) and Senior Official (SO) to the IES Data Security Office. The IES Data Security Office staff will review the submitted documents for content and completeness. In the online Formal Request, you must demonstrate that the proposed research project meets basic requirements of applicability to education research. The Security Plan Form must be complete and must comply with the Security Procedures outlined in Chapter 3. IES may request additional information regarding the proposed use of the data, the resources available to the researcher to perform the analysis, or other aspects of the project that is deemed necessary. All questions IES has about an organization's application must be resolved in writing prior to the formal approval of the License. The License documents are only submitted to the IES front office for final approval when all required information has been received and the License application is complete. The decision to grant a License is solely that of the Director. The License approval becomes effective on the date of the Director's signature. Formal Request The Formal Request will ask for specific items of information (see checklist below). Your information will be collected through the IES electronic license application system at: 15

16 Formal Request Checklist (1) The name, title, and contact information of the Principal Project Officer (2) The name, title, and contact information of the Senior Official (3) The name, title, and contact information of the System Security Officer (4) The title of the database(s) requested for access (5) A description of the statistical research project and how the restricted-use database will be used and justification for access (6) The names and titles of other persons who will use and access the data (7) The estimated loan period (not to exceed five years) The Formal Request requirements are described in more detail below: (1) The name, title, and contact information of the Principal Project Officer who will oversee the daily operations. To qualify for and receive a restricted-use data License and the restricted-use data, academic applicants must have the rank of post-doctoral fellow or above to serve as the Principal Project Officer (PPO). Visiting professors or scholars cannot be a PPO. Applicants in research laboratories or analytic consulting firms must have the rank of research associate or above to serve in this role. (The PPO is the researcher in charge of the day-to-day operations involving the use of subject data and is responsible for liaising with the IES Data Security Office.) (2) The name, title, and contact information of the Senior Official having the signatory authority to legally bind the organization to the provisions of the License contract. (3) The name, title, and contact information of the Systems Security Officer who will oversee the security of the data. The PPO can also serve as the SSO. (4) The title of the database(s) the organization wants to access. (5) A description of the statistical research project. The description must fulfill the following conditions: explain why the public-use version of the data is insufficient for your research needs, describe the final research objective and use of the data, describe the sector(s) of the community that will be served by the product, and assure IES that the data will not be used for any administrative or regulatory purpose in addition to, or instead of, the statistical purpose described. Note: The purpose of the research for which the data are requested must accord with the purpose for which the survey data were collected. Descriptions of those purposes are in Appendix H. If an applicant requests access to subject data that are currently under an IES Contract/Task Order with the applicant, the applicant must provide: the contract number, and the name of the Contracting Office Technical Representative (COTR). 16

17 (6) The names and titles of other persons who will be accessing the database. Generally, the staff is limited to a maximum of seven (7) persons. Exceptions to this limit may be authorized by the IES Data Security Office. Written documentation authorizing the exception must be obtained from IES. Please note that requests for additional data or amendments to an existing License will only be accepted from the PPO. (7) The estimated loan period necessary for accessing the database. Loan periods are in oneyear increments and may not exceed a five-year period. The loan period starts on the date that IES signs the License document. License Document The License document is a legally binding agreement or contract. License Document Checklist Review the appropriate License document Insert the name of the Agency or organization to be licensed in the appropriate blank(s) The Senior Official (or appropriate government official) signs the License The Principal Project Officer signs the License Indicate loan period (not to exceed five years) Send the original signed License to the IES Data Security Office Affidavit of Nondisclosure An Affidavit of Nondisclosure must be executed for each person who will have access to the data. Affidavit of Nondisclosure Checklist Obtain a notarized Affidavit of Nondisclosure from each person who may come in contact with the subject data, as well as any non-security/police personnel who have key access to the secure project office. (For more information on this requirement, see Chapter 3.) Fill in all requested information on the Affidavit Send the original signed and notarized Affidavits of Nondisclosure to the IES Data Security Office Appendix G contains a copy of the Affidavit of Nondisclosure form. In general, an individual who is not an IES employee and who wants access to licensed individually identifiable information must execute an Affidavit of Nondisclosure and submit it, through a licensed organization, to the IES Data Security Office. IES allows up to seven (7) individuals per License to have access to the subject data. The one-page Affidavit contains: the name of the survey(s) to be accessed (see below), 17

18 an oath or affirmation not to disclose individually identifiable information to any person not similarly sworn, the penalties for disclosure, and the signature and imprint of a notary public. Affidavits are data-specific : they are only valid for the data listed on the form. Include all data names and all subsequent followups that will be needed; for example, the base year data and all subsequent followups. Notarized documents cannot be amended by IES. To access a followup of a listed database or to access data that was not listed on the notarized affidavit, another affidavit must be executed. Organizations must promptly notify IES of any changes in project staff. (See Section 2.6, Amending a License.) Security Plan Form The Security Plan Form contains the detailed procedures for protecting the subject data. Security Plan Form Checklist Review Chapter 3, Security Procedures Fill out the Security Plan Form found in Appendix J Send the original, signed Security Plan Form to the IES Data Security Office Restricted-use data must be kept secure at all times, meaning that the individually identifiable information is secure from unauthorized disclosure or modification. Security procedures are explained in detail in Chapter 3; the Security Plan Form can be found in Appendix J. Note: In lieu of the Security Plan Form, federal agencies must submit documentation verifying that the agency has an approved Certification and Accreditation (C&A) for its IT systems. Federal agencies must adhere to the security requirements set forth in the MOU. Receiving the Requested Materials Once the License is approved by IES, the IES Data Security Office sends the licensee the data and other items. Final Product Package Contents The new licensee receives the License package that includes: a copy of the original License and Security Plan Form copies of the Affidavits of Nondisclosure Restricted-use database media materials and instructional materials to assist the project staff in the use of the data. The data CD-ROM includes a - (1) Warning/Restriction Label (2) Loan Expiration Date 18

19 The package is sent Restricted Delivery - Certified Mail to the licensee. All restricted-use data on CD-ROM are encrypted and require a passphrase to open. The PPO must the IES Data Security Office with a list of encrypted files in order to obtain the needed passphrases. Note: Only one copy of a database in any format can be borrowed at a time. A licensee who has a copy of the database and wants a revised version must return the original via certified mail before the revised version will be sent. (See Section 2.6, Amending a License.) Under no circumstances may the original or a duplicate of the database be removed or electronically communicated from the licensee's secure project office. 2.5 Required Licensee Activity The licensee is responsible for all terms and conditions in the License document, the Security Plan Form and related materials. (See the appropriate License document in Appendix E or F for full requirements.) This section addresses three major administrative requirements: Maintaining the License file, including copies of all executed Affidavits, Submitting research publications for disclosure review prior to publication or access by non-licensed individuals, and The licensee's responsibility to be ready for inspection at all times. Maintaining the License File The Principal Project Officer (PPO) is accountable for having all pertinent information listed below in a License file. License File Checklist The PPO shall maintain a License file in the secure project office where the licensee stores the restricted-use data. This file must contain the following items: copies of s received from the IES Data Security Office the License and its attachments, which are: (1) a description of research (2) the Privacy Act of 1974 (5 U.S.C. 552a) and IES-specific laws (3) the Security Plan Form any amendments to the License document and related s a current list of all individuals who may have access to the data, along with copies of their notarized Affidavits of Nondisclosure Note: All project staff shall both READ and UNDERSTAND this material. All individuals who have access to the subject data must be fully aware of the required security requirements and procedures. (The Principal Project Officer is 19

20 directly responsible for ensuring that all project staff understand and implement all of the required security procedures.) Submitting Research Publications If the licensee intends to publish or distribute any information product that uses the subject data where unauthorized persons will have access, then the licensee must submit an advance copy of the product to the IES Data Security Office via prior to its publication or access by nonlicensed individuals. Once the document has been cleared by the IES Data Security Office, the licensee may distribute the document as desired. Research Publication Checklist The PPO shall forward a copy of each publication containing information based on restricted-use data to the IES Data Security Office for a disclosure review. For all datasets produced by IES or NCES, licensees are required to round all unweighted sample size numbers to the nearest ten (nearest 50 for ECLS-B) in all information products (i.e.: proposals, presentations, papers or other documents that are based on or use restricteduse data). For all other datasets, including administrative datasets produced by other agencies within the Department of Education (e.g. EDFacts, CRDC, etc.), disclosure avoidance standards will vary. The required disclosure avoidance measures for these non- IES datasets will be listed in a readme.txt file included with that specific dataset. Licensees are required to provide a draft copy of each information product that is based on or uses restricted-use data to the IES Data Security Office for a disclosure review. The licensee must not release the information product to any person not authorized to access the data until formally notified by IES that no potential disclosures were found. This review process usually takes 3 to 5 business days. Passing On-Site Inspections The License (Section IV.G) gives IES the right to conduct unannounced, unscheduled inspections of the licensee's secure project office to assess compliance with the provisions of the License, security procedures (see Chapter 3), and the licensee's submitted Security Plan Form. (The inspection procedures are described in Chapter 4, and a copy of the On-Site Inspection Guideline can be found in Appendix K.) Any violation found during the inspection may subject the licensee to immediate revocation of the License by IES, or report of the violation to the U.S. Attorney. On-site Inspection Checklist When an on-site inspection is conducted, IES will provide formal notification of any violations of the required security procedures. If violations are reported, the licensee must take the following steps: Correct all identified security violations. Notify IES in writing of the corrective measures. 20

Security Plan Form. Institute of Education Sciences (IES) Restricted-use Data. Name of Institution / Organization:

Security Plan Form. Institute of Education Sciences (IES) Restricted-use Data. Name of Institution / Organization: Security Plan Form Institute of Education Sciences (IES) Restricted-use Data Name of Institution / Organization: PPO Name: PPO Address: (no P.O. Box number; specify building name, department, and room

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS

SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS SHP-570A 1/14 SECURITY and MANAGEMENT CONTROL OUTSOURCING STANDARD For NON-CHANNELERS The goal of this document is to provide adequate security and integrity for criminal history record information (CHRI)

More information

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development 7.0 Information Security Protections The aggregation and analysis of large collections of data and the development of interconnected information systems designed to facilitate information sharing is revolutionizing

More information

In order to adjudicate an appeal, OPM requires claimants or their authorized representatives to submit the following information:

In order to adjudicate an appeal, OPM requires claimants or their authorized representatives to submit the following information: SYSTEM NAME: Health Claims Disputes External Review Services. SYSTEM LOCATION: Office of Personnel Management, 1900 E Street NW., Washington, DC 20415. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

MCOLES Information and Tracking Network. Security Policy. Version 2.0

MCOLES Information and Tracking Network. Security Policy. Version 2.0 MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY]

INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY] 2012 MODEL STC AGREEMENT INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY] AS THE STATE TRANSMISSION/TRANSFER COMPONENT

More information

INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM

INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM The completed form should be sent to: Box EBC Washington D.C.20231 Block 1- Requestor Status The Certificate requester should check the appropriate

More information

CHAPTER 267. BE IT ENACTED by the Senate and General Assembly of the State of New Jersey:

CHAPTER 267. BE IT ENACTED by the Senate and General Assembly of the State of New Jersey: CHAPTER 267 AN ACT concerning third party administrators of health benefits plans and third party billing services and supplementing Title 17B of the New Jersey Statutes. BE IT ENACTED by the Senate and

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter Agreement ) is between COVERED ENTITY NAME (hereinafter Covered Entity ) and BUSINESS ASSOCIATE NAME (hereinafter Business

More information

ACTION COLLECTION SERVICES INC. BUSINESS ASSOCIATE AGREEMENT (FOR MEDICAL PROVIDERS)

ACTION COLLECTION SERVICES INC. BUSINESS ASSOCIATE AGREEMENT (FOR MEDICAL PROVIDERS) ACTION COLLECTION SERVICES INC. BUSINESS ASSOCIATE AGREEMENT (FOR MEDICAL PROVIDERS) THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ), is dated as of, by and between Action Collection Services Inc. (

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

NOTICE TO GRANDPARENT

NOTICE TO GRANDPARENT A Power of Atrney may be created if the parent, guardian, or cusdian of the child is any of the following: 1. Seriously ill, incarcerated, or about be incarcerated 2. Temporarily unable provide financial

More information

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon This document is scheduled to be published in the Federal Register on 02/11/2016 and available online at http://federalregister.gov/a/2016-02788, and on FDsys.gov Billing Code: 5001-06 DEPARTMENT OF DEFENSE

More information

R430. Health, Health Systems Improvement, Child Care Licensing.

R430. Health, Health Systems Improvement, Child Care Licensing. R430. Health, Health Systems Improvement, Child Care Licensing. R430-3. General Child Care Facility Rules Inspection and Enforcement. R430-3-1. Legal Authority and Purpose. This rule is adopted pursuant

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Agreement ( Agreement ) is made and entered into this day of [Month], [Year] by and between [Business Name] ( Covered Entity ), [Type of Entity], whose business address

More information

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE FORWARD I am pleased to introduce the mission and authorities of the Office of Inspector General for the Farm Credit Administration. I hope this

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

SUITE SOLUTIONS MEMBERSHIP GUIDELINES Clients using EZ-Filing Inc. Software

SUITE SOLUTIONS MEMBERSHIP GUIDELINES Clients using EZ-Filing Inc. Software SUITE SOLUTIONS MEMBERSHIP GUIDELINES Clients using EZ-Filing Inc. Software The following procedures are needed to establish your account in order to download three bureau credit reports into your bankruptcy

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

Sample Business Associate Agreement (4. Other Bus. Assoc., Version 6-06-05)

Sample Business Associate Agreement (4. Other Bus. Assoc., Version 6-06-05) Sample Business Associate Agreement (4. Other Bus. Assoc., Version 6-06-05) This Business Associate Agreement (the Agreement ) is entered into as of, 20, (the Effective Date ) by and between, (the Covered

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

The United States Federal Trade Commission ("FTC") and the Office of the Data Protection Commissioner of Ireland (collectively, "the Participants"),

The United States Federal Trade Commission (FTC) and the Office of the Data Protection Commissioner of Ireland (collectively, the Participants), MEMORANDUM OF UNDERSTANDING BETWEEN THE UNITED STATES FEDERAL TRADE COMMISSION AND THE OFFICE OF THE DATA PROTECTION COMMISSIONER OF IRELAND ON MUTUAL ASSISTANCE IN THE ENFORCEMENT OF LAWS PROTECTING PERSONAL

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BA Agreement ) amends, supplements, and is made a part of the Agreement ( Agreement ) entered with Client ( CLIENT ) and International

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

APPENDIX H SECURITY ADDENDUM

APPENDIX H SECURITY ADDENDUM APPENDIX H SECURITY ADDENDUM The following pages contain the legal authority, purpose, and genesis of the Criminal Justice Information Services Security Addendum (H2-H4); the Security Addendum itself (H5-H6);

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

Privacy Impact Assessment of Automated Loan Examination Review Tool

Privacy Impact Assessment of Automated Loan Examination Review Tool Privacy Impact Assessment of Automated Loan Examination Review Tool Program or application name: Automated Loan Examination Review Tool (ALERT) System Owner: Board of Governors of the Federal Reserve System

More information

Covered California. Terms and Conditions of Use

Covered California. Terms and Conditions of Use Terms and Conditions of Use Contents: Purpose Of This Agreement Privacy Policy Modification Of This Agreement Permission To Act On Your Behalf How We Identify You Registration Additional Terms For Products

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

STUDENT RECORD POLICY, PROCEDURES AND DEFINITIONS

STUDENT RECORD POLICY, PROCEDURES AND DEFINITIONS STUDENT RECORD POLICY, PROCEDURES AND DEFINITIONS PURPOSE The purpose of establishing this policy is to ensure Virginia Union University s compliance with the Family Educational Rights and Privacy Act

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Fair Credit Reporting Act Compliance Guide

Fair Credit Reporting Act Compliance Guide Fair Credit Reporting Act Compliance Guide FAIR CREDIT REPORTING ACT TABLE OF CONTENTS Page I. INTRODUCTION...1 A. Increased Applicant and Employee Rights...1 B. What is a "Consumer Report?"...1 C. What

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft when he intentionally

More information

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

H. R. 5005 11 SEC. 201. DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION. H. R. 5005 11 (d) OTHER OFFICERS. To assist the Secretary in the performance of the Secretary s functions, there are the following officers, appointed by the President: (1) A Director of the Secret Service.

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems

Privacy Impact Assessment Of the. Office of Inspector General Information Technology Infrastructure Systems Privacy Impact Assessment Of the Office of Inspector General Information Technology Infrastructure Systems Program or application name: Office of Inspector General Information Technology Infrastructure

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

COMPUTER SOFTWARE AS A SERVICE LICENSE AGREEMENT

COMPUTER SOFTWARE AS A SERVICE LICENSE AGREEMENT COMPUTER SOFTWARE AS A SERVICE LICENSE AGREEMENT This Agreement is binding on the individual and the company, or other organization or entity, on whose behalf such individual accepts this Agreement, that

More information

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009 MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009 Current Laws: A person may not knowingly, willfully, and with

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Huron County Juvenile Court

Huron County Juvenile Court Huron County Juvenile Court Instructions for: CHILD CARE POWER OF ATTORNEY AND CARETAKER AUTHORIZATION AFFIDAVIT This packet was prepared for your convenience and ease in filing a child care power of attorney

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Contract (Agreement) is entered into by and between, as a Covered Entity as defined in relevant federal and state law, and HMS Agency, Inc., as their

More information

EPA Classification No.: CIO-2150.3-P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015

EPA Classification No.: CIO-2150.3-P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: 12-003 Review Date: 08/06/2015 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 INFORMATION SECURITY INTERIM MAINTENANCE PROCEDURES V1.8 JULY 18, 2012 1. PURPOSE The purpose of this procedure

More information

Application for Consumer Finance License

Application for Consumer Finance License NC Office of the Commissioner of Banks Location: 316 W. Edenton Street, Raleigh, NC 27603 Mail Address: 4309 Mail Service Center, Raleigh, NC 27699-4309 Telephone: 919/733-3016 Fax: 919/733-6918 Internet:

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

Responsibilities of Custodians and Health Information Act Administration Checklist

Responsibilities of Custodians and Health Information Act Administration Checklist Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures

More information

United States Trustee Program

United States Trustee Program United States Trustee Program Privacy Impact Assessment for the Credit Counseling/Debtor Education System (CC/DE System) Issued by: Larry Wahlquist, Privacy Point of Contact Reviewed by: Approved by: Vance

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.

More information

Business Associate Contract

Business Associate Contract Business Associate Contract THIS CONTRACT is made and entered into by and between Imagine! (hereinafter called Contractor ), a not-for-profit Community Centered Board, duly incorporated and existing under

More information

Casey State Bank Online Banking Agreement and Disclosure

Casey State Bank Online Banking Agreement and Disclosure Casey State Bank Online Banking Agreement and Disclosure Please carefully read this entire agreement and keep a copy for your records. By pressing the I ACCEPT button, you agree to the terms and conditions

More information

My Nymeo Online Banking Agreement and Disclosure

My Nymeo Online Banking Agreement and Disclosure My Nymeo Online Banking Agreement and Disclosure Please read this Agreement and Disclosure in full and, click on "I agree" to self-enroll in My Nymeo Online Banking. This My Nymeo Online Banking Agreement

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS 1. Purpose This directive establishes the Department of Homeland

More information

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS

IT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES

More information

DRAFT BUSINESS ASSOCIATES AGREEMENT

DRAFT BUSINESS ASSOCIATES AGREEMENT DRAFT BUSINESS ASSOCIATES AGREEMENT THIS AGREEMENT is made this day of, 20, by and among, a Corporation organized under the laws of the State of (hereinafter known as "Covered Entity") and organized under

More information

INFORMATION FOR ASBESTOS HANDLING LICENSE APPLICANTS

INFORMATION FOR ASBESTOS HANDLING LICENSE APPLICANTS STATE OF NEW YORK > DEPARTMENT OF LABOR DIVISION OF SAFETY AND HEALTH LICENSE AND CERTIFICATE UNIT BUILDING 12, ROOM 161 STATE CAMPUS ALBANY, NY 12240 (518) 457>2735 GENERAL INFORMATION INFORMATION FOR

More information

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

Access Control Policy

Access Control Policy Version 3.0 This policy maybe updated at anytime (without notice) to ensure changes to the HSE s organisation structure and/or business practices are properly reflected in the policy. Please ensure you

More information

Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date

Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date Level 2 & 3: Product 1/2 Business Associates Agreement Business Associate Agreement Washtenaw Community Health Organization Effective Date: insert date This Business Associate Agreement is made as of the

More information

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement This (hereinafter referred to as Addendum ) by and between Athens Area Health Plan Select, Inc. (hereinafter referred to as HPS ) a Covered Entity under HIPAA, and INSERT ORG NAME (hereinafter referred

More information

Identification and Authentication on FCC Computer Systems

Identification and Authentication on FCC Computer Systems FCC Computer Security TABLE OF CONTENTS Desk Reference 1 INTRODUCTION...1 Identification and Authentication on FCC Computer Systems 1.1 PURPOSE...1 1.2 BACKGROUND...1 1.3 SCOPE...2 1.4 AUTHORITY...2 2

More information

ONLINE EXPRESS INTERNET BANKING CUSTOMER AGREEMENT

ONLINE EXPRESS INTERNET BANKING CUSTOMER AGREEMENT ONLINE EXPRESS INTERNET BANKING CUSTOMER AGREEMENT This Agreement is entered into between Farmers Trust & Savings Bank (the "Bank") and any customer of the Bank who subscribes to the Bank s Online Express

More information

STATE OF CONNECTICUT REGULATION of the DEPARTMENT OF CONSUMER PROTECTION (NAME OF AGENCY)

STATE OF CONNECTICUT REGULATION of the DEPARTMENT OF CONSUMER PROTECTION (NAME OF AGENCY) STATE OF CONNECTICUT REGULATION of the DEPARTMENT OF CONSUMER PROTECTION (NAME OF AGENCY) Concerning APPRAISAL MANAGEMENT COMPANIES (SUBJECT MATTER OF REGULATION) (NEW) Section 1. The Regulations of Connecticut

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008

COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008 COLORADO IDENTITY THEFT RANKING BY STATE: Rank 8, 89.0 Complaints Per 100,000 Population, 4328 Complaints (2007) Updated November 28, 2008 Current Laws: A person commits identity theft if he or she: Knowingly

More information

Section by Section DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY AND INFORMATION SHARING

Section by Section DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY AND INFORMATION SHARING Section by Section DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY AND INFORMATION SHARING Sec. 1. Department of Homeland Security Cybersecurity Authority Section 1(a) amends Title II of the Homeland

More information

APPRAISAL MANAGEMENT COMPANY

APPRAISAL MANAGEMENT COMPANY STATE OF ARKANSAS APPRAISER LICENSING AND CERTIFICATION BOARD APPRAISAL MANAGEMENT COMPANY STATUTES 1 ARKANSAS APPRAISER LICENSING AND CERTIFICATION BOARD APPRAISAL MANAGEMENT COMPANY STATUTES SUBCHAPTER

More information

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities.

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities. M E M O R A N D U M TO: FROM: All Directors, Officers and Covered Persons of Power Solutions International, Inc. and its Subsidiaries Catherine Andrews General Counsel and Insider Trading Compliance Officer

More information

RULE. Office of the Governor Real Estate Appraisers Board. Appraisal Management Companies (LAC 46:LXVII.Chapters 301-309)

RULE. Office of the Governor Real Estate Appraisers Board. Appraisal Management Companies (LAC 46:LXVII.Chapters 301-309) RULE Office of the Governor Real Estate Appraisers Board Appraisal Management Companies (LAC 46:LXVII.Chapters 301-309) Under the authority of the newly enacted Appraisal Management Company Licensing and

More information

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES This agreement ("Agreement") is effective upon its execution and delivery to LCD SOLUTIONS, INC.

More information

Limited Data Set Data Use Agreement

Limited Data Set Data Use Agreement Limited Data Set Data Use Agreement This Agreement is made and entered into by and between (hereinafter Applicant ) and the State of Florida Agency for Health Care Administration, Florida Center for Health

More information